
This product reached the end of support date on March 31, 2021.

DCRUM 2017 CAS SSL Configuration issue

hmor3

Hi Guys,

We have tried to configure SSL for CAS using the steps in the link below

https://community.dynatrace.com/community/pages/vi...

title=Configuring+SSL+for+CAS+or+ADS&spaceKey=DCRUM124

1) Used the command below to generate a key and CSR with openssl

sudo openssl req -new -newkey rsa:2048 -nodes -out dynatrace_XXXXXX.csr -keyout dynatraceXXXXX.key -config req.conf

2) Received a .cer file from the CA

Question 1: Now how do I get this chain.txt as described in the documentation link?

Question 2: What is the role of the keystore if I have used openssl?

Question 3: After my step 2, what else is needed to complete the SSL configuration?

Thanks

Himanshu Mor


jaroslaw_orlows
Dynatrace Pro

Hi, have a look at the 2017 doc. It should be improved in comparison to the 12.4 one.

https://www.dynatrace.com/support/doc/dcrum/data-privacy-and-security/configuration/configuring-ssl-for-cas-or-ads/

Hello @Jaroslaw O. , thanks for the update!

But I cannot see any details about how to generate the chain file, even in the new version of the documentation.

Thanks

Himanshu Mor

Hello! What about steps 7 and 8?

7. Open root.cer and webserver.cer in Notepad. Append all contents from each file (Control-A) and merge both into a new text file. Make sure to merge them in the same order they were opened: root followed by webserver.

8. Save the merged file as chain.txt .

Hello @Jaroslaw O. , we have only received one .cer file.

adam_piotrowicz
Dynatrace Pro

Himanshu,

Try the following procedure:
1. Create key:

keytool -genkeypair -keyalg rsa -keystore [keystorename].jks -storepass [keystorepassword] -alias [alias]

2. Create cert request using names defined in previous step:

keytool -certreq -alias [alias] -keystore [keystorename].jks -storepass [keystorepassword] -file my_new_cert.csr -validity [number of days]

3. Send the certificate request file (my_new_cert.csr in this example) out to be signed.

4. Make sure your certificate is in Base64 X.509 format; if not, convert it:

(a) In case you received your signed cert from a root CA:

  • Right-click on the certificate chain file (for example, signed_cert.p7b) and select Open.
  • The certificate should open in the Windows Certificates tool. If not, open certmgr.msc and use the import tool.
  • In the left pane, expand Certificates - Current User > Certificates. You will see the imported certificate.
  • Export the certificate to Base64 X.509 by right-clicking on each certificate and selecting All Tasks > Export.
  • Click Next.
  • Enter the name of the exported file, for example, signed_cert.cer for the root certificate.
  • Click Finish.

(b) In case you received your signed cert from a non-root CA:

  • Right-click on the certificate chain file (for example, signed_cert.p7b) and select Open.
  • The certificate should open in the Windows Certificates tool. If not, open certmgr.msc and use the import tool.
  • In the left pane, expand Certificates - Current User > Certificates. You will see the imported certificate.
  • Export the certificate to Base64 X.509 by right-clicking on each certificate and selecting All Tasks > Export.
  • Click Next.
  • Enter the name of the exported file, for example, signed_cert.cer for the root certificate.
  • Click Finish.
  • Repeat the procedure for all intermediate (there can be more than one) and root certificates (e.g. root.cer and intermediate.cer).


5. Import the signed user certificate.

keytool -import -alias tomcat -keystore [keystorename].jks -storepass [keystorepassword] -trustcacerts -file signed_cert.cer

6. Export the key created at the beginning to PKCS12 format.

keytool -importkeystore -srckeystore [keystorename].jks -srcstoretype JKS -deststoretype PKCS12 -destkeystore pkey.p12

7. Convert the exported PKCS12 binary file to PEM format.

openssl.exe pkcs12 -in [path.to]pkey.p12 -nodes -nocerts -out [path.to]pkey.pem

8. Configure the following settings in the /config/common.properties file:

  • Point connector.ssl.SSLCertificateFile to the signed certificate file converted to X.509 (signed_cert.cer).
  • Point connector.ssl.SSLCertificateKeyFile to the key you generated using keytool, for example pkey.pem.
  • Point connector.ssl.SSLCertificateChainFile to the chain of certificates, that is, the chain.txt you created by joining the contents of the .cer files.

9. Set the key password.

  • In Windows, go to Program and Features > Uninstall a program, select Dynatrace Central Analysis Server and click Uninstall/Change.
  • In CAS installation dialog, select Change HTTP and SSL Server settings and click Next.
  • Select Use HTTPS (HTTP over SSL) and Use custom key and certificate, and click Next.
  • Read the on-screen information, type and confirm the password and click Next. The key password is updated.
  • Restart the CAS service.
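The following is an added example, not code from the thread or from Dynatrace. It builds a throwaway test PKI (root CA, intermediate CA, web server leaf) with openssl so that the two things asked in the thread can be tried end to end on one machine: how chain.txt is put together and checked when the CA returned a single file (a .p7b bundle, or one .cer whose role you need to determine), and the openssl equivalents of steps 4, 6 and 7 of the keytool procedure above (splitting a .p7b into PEM certificates, getting the PEM private key back out of a PKCS12). Every subject, file name, directory and password below is constructed for the example; none of it comes from the original post. The chain is concatenated in the order the Dynatrace doc gives (root first, then each intermediate, then the web server certificate).

```shell
#!/bin/sh
# Added example (not from the original thread or from Dynatrace).
# Requires only the openssl CLI. All names and subjects are made up.
set -eu

# Minimal openssl.cnf so the commands do not depend on the system config file;
# -subj supplies the DN, so the [dn] section can stay empty.
REQ_CNF='[req]
distinguished_name = dn
[dn]
'

# Build root CA -> intermediate CA -> web server leaf under directory $1,
# and bundle the three certificates into a .p7b the way many CAs return them.
make_test_pki() {
    d=$1; mkdir -p "$d"
    printf '%s' "$REQ_CNF" > "$d/req.cnf"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:cas.example.test\n' > "$d/server.ext"
    for n in root intermediate webserver; do
        openssl req -new -newkey rsa:2048 -nodes -config "$d/req.cnf" \
            -subj "/CN=Example Test $n" -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
    done
    # the root signs itself; every other certificate is signed by the level above it
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 3650 \
        -extfile "$d/ca.ext" -out "$d/root.cer" 2>/dev/null
    openssl x509 -req -in "$d/intermediate.csr" -CA "$d/root.cer" -CAkey "$d/root.key" \
        -CAcreateserial -days 1825 -extfile "$d/ca.ext" -out "$d/intermediate.cer" 2>/dev/null
    openssl x509 -req -in "$d/webserver.csr" -CA "$d/intermediate.cer" -CAkey "$d/intermediate.key" \
        -CAcreateserial -days 397 -extfile "$d/server.ext" -out "$d/webserver.cer" 2>/dev/null
    openssl crl2pkcs7 -nocrl -certfile "$d/webserver.cer" -certfile "$d/intermediate.cer" \
        -certfile "$d/root.cer" -out "$d/signed_cert.p7b"
}

# Step 4 without certmgr.msc: split a .p7b ($1) into PEM certificates ($2).
# Prints how many certificates the bundle contained.
split_p7b() {
    openssl pkcs7 -in "$1" -print_certs -out "$2"
    grep -c 'BEGIN CERTIFICATE' "$2"
}

# Tell a root from a leaf when the CA sent back only one .cer:
# prints "self-signed" when subject equals issuer, otherwise "issued".
cert_role() {
    s=$(openssl x509 -noout -subject -in "$1" | sed 's/^[^=]*=//')
    i=$(openssl x509 -noout -issuer  -in "$1" | sed 's/^[^=]*=//')
    [ "$s" = "$i" ] && echo self-signed || echo issued
}

# Steps 7-8 of the doc: chain.txt is the PEM files concatenated,
# root first, then each intermediate, then the web server certificate.
build_chain() {
    d=$1
    cat "$d/root.cer" "$d/intermediate.cer" "$d/webserver.cer" > "$d/chain.txt"
}

# Steps 6-7 equivalent: a PKCS12 holding key + chain (keytool -importkeystore
# produces the same kind of file), then the unencrypted PEM key pulled back out
# of it exactly as step 7 does. Password "changeit" is made up for the example.
p12_roundtrip() {
    d=$1
    openssl pkcs12 -export -inkey "$d/webserver.key" -in "$d/webserver.cer" \
        -certfile "$d/intermediate.cer" -passout pass:changeit -out "$d/pkey.p12"
    openssl pkcs12 -in "$d/pkey.p12" -nodes -nocerts -passin pass:changeit \
        -out "$d/pkey.pem" 2>/dev/null
}

# Checks worth running before pointing common.properties at the files:
# the leaf validates up to the root through the intermediate, and the PEM key
# that will become SSLCertificateKeyFile matches SSLCertificateFile.
verify_chain() {
    d=$1
    openssl verify -CAfile "$d/root.cer" -untrusted "$d/intermediate.cer" "$d/webserver.cer" >/dev/null
    c=$(openssl x509 -noout -modulus -in "$d/webserver.cer")
    k=$(openssl rsa  -noout -modulus -in "$d/pkey.pem" 2>/dev/null)
    [ "$c" = "$k" ]
}

# Usage: D=$(mktemp -d); make_test_pki "$D"; split_p7b "$D/signed_cert.p7b" "$D/all.cer"
#        build_chain "$D"; p12_roundtrip "$D"; verify_chain "$D" && echo "chain and key OK"
```

Two practical notes on the keytool path above. The key of that procedure lives in the .jks; pkey.pem is only an export of it, so the file should be created with restrictive permissions and the .p12 deleted once the PEM exists. And keytool accepts -validity with -genkeypair (it sets the lifetime of the self-signed placeholder certificate), not with -certreq; the lifetime of the real certificate is decided by the CA that signs the CSR.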